diff options
author | Tomas Mraz <tomas@openssl.org> | 2021-01-20 14:01:01 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-01-26 15:26:49 +0100 |
commit | 0c8e98e615d3522592a5bde6fcef43e42eb70deb (patch) | |
tree | d4cde4d46f67f9d2baf6a5d9c7bf8982699d856f | |
parent | f377e58fde1a7e6b29067c48df7d3c04fdaeba38 (diff) |
Avoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)
-rw-r--r-- | crypto/x509/x509_cmp.c | 5 | ||||
-rw-r--r-- | ssl/s3_lib.c | 45 | ||||
-rw-r--r-- | ssl/ssl_local.h | 5 | ||||
-rw-r--r-- | ssl/tls_depr.c | 20 | ||||
-rw-r--r-- | test/helpers/handshake.c | 5 |
5 files changed, 20 insertions, 60 deletions
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index fb34d5cefc..579cac077b 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -407,9 +407,8 @@ static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) if (pkey == NULL || !EVP_PKEY_is_a(pkey, "EC")) return X509_V_ERR_SUITE_B_INVALID_ALGORITHM; - if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, - curve_name, sizeof(curve_name), - &curve_name_len)) + if (!EVP_PKEY_get_group_name(pkey, curve_name, sizeof(curve_name), + &curve_name_len)) return X509_V_ERR_SUITE_B_INVALID_CURVE; curve_nid = OBJ_txt2nid(curve_name); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 34980b0bc6..966d799d6b 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3430,29 +3430,6 @@ static char *srp_password_from_info_cb(SSL *s, void *arg) } #endif -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) -static int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, - EVP_PKEY *pkey) -{ - char name[80]; - int nid, ret = 0; - size_t name_len; - - if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, - name, sizeof(name), &name_len)) { - SSLerr(0, EC_R_MISSING_PARAMETERS); - return 0; - } - nid = OBJ_txt2nid(name); - if (nid == NID_undef) - goto end; - ret = tls1_set_groups(pext, pextlen, &nid, 1); -end: - EVP_PKEY_free(pkey); - return ret; -} -#endif - static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len); long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) @@ -3503,22 +3480,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { - EVP_PKEY *pkecdh = NULL; - if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - pkecdh = ssl_ecdh_to_pkey(parg); - if (pkecdh == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); - return 0; - } return ssl_set_tmp_ecdh_groups(&s->ext.supportedgroups, &s->ext.supportedgroups_len, - pkecdh); + parg); } -#endif /* !OPENSSL_NO_EC */ +#endif case SSL_CTRL_SET_TLSEXT_HOSTNAME: /* * TODO(OpenSSL1.2) @@ -3838,22 +3808,15 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) #if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { - EVP_PKEY *pkecdh = NULL; - if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - pkecdh = ssl_ecdh_to_pkey(parg); - if (pkecdh == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); - return 0; - } return ssl_set_tmp_ecdh_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, - pkecdh); + parg); } -#endif /* !OPENSSL_NO_EC */ +#endif case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->ext.servername_arg = parg; break; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 1819ccd981..810461bc51 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2468,9 +2468,8 @@ __owur int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey, unsigned char **ctp, size_t *ctlenp, int gensecret); __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh); -# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) -__owur EVP_PKEY *ssl_ecdh_to_pkey(EC_KEY *ec); -# endif +__owur int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, + void *key); __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl); __owur unsigned int ssl_get_split_send_fragment(const SSL *ssl); diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 68b007b12d..4ac7fcb916 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -162,18 +162,20 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh) /* Some deprecated public APIs pass EC_KEY objects */ # ifndef OPENSSL_NO_EC -EVP_PKEY *ssl_ecdh_to_pkey(EC_KEY *ec) +int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, + void *key) { - EVP_PKEY *ret; + const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key); + int nid; - if (ec == NULL) - return NULL; - ret = EVP_PKEY_new(); - if (EVP_PKEY_set1_EC_KEY(ret, ec) <= 0) { - EVP_PKEY_free(ret); - return NULL; + if (group == NULL) { + ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS); + return 0; } - return ret; + nid = EC_GROUP_get_curve_name(group); + if (nid == NID_undef) + return 0; + return tls1_set_groups(pext, pextlen, &nid, 1); } # endif #endif diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c index 0711639fd1..e286df6cf0 100644 --- a/test/helpers/handshake.c +++ b/test/helpers/handshake.c @@ -1271,17 +1271,14 @@ static char *dup_str(const unsigned char *in, size_t len) static int pkey_type(EVP_PKEY *pkey) { -#ifndef OPENSSL_NO_EC if (EVP_PKEY_is_a(pkey, "EC")) { char name[80]; size_t name_len; - if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, - name, sizeof(name), &name_len)) + if (!EVP_PKEY_get_group_name(pkey, name, sizeof(name), &name_len)) return NID_undef; return OBJ_txt2nid(name); } -#endif return EVP_PKEY_id(pkey); } |